Attorneys Detail BYOD Issues in Health Care
For the past few years, moving corporate data to the cloud has been the critical data security issue confronting I.T. professionals.
With the cloud transition well underway, focus has turned to securing end-user devices like smart phones and tablet computers, and in particular, the use of employee-owned devices for business purposes--a concept known as “bring-your-own-device” or BYOD. The benefits of BYOD often include reduced hardware costs for the company as well as greater employee satisfaction from using a single portable device for workplace and personal use.
For many companies permitting BYOD, data security concerns generally focus around loss or theft of intellectual property and trade secrets. However, for companies in the health care sector, developing and implementing a BYOD program requires careful planning and development to comply with security standards under the Health Insurance Portability and Accountability Act of 1996. Moreover, amendments in the HITECH Act in 1999 expanded HIPAA security standards beyond covered entities to encompass business associates--including vendors, contractors, and subcontractors that access, use, disclose, or create PHI on covered entities’ behalf. What follows is a brief summary of certain risks associated with BYOD programs, as well as suggestions for developing and implementing a BYOD program.
Failure to properly implement a BYOD program can be a costly error because the HITECH Act also put teeth into HIPAA enforcement efforts in the form of increased penalties for violations and expanded enforcement authority at both the federal and state levels. The HHS Office for Civil Rights, the federal agency responsible for HIPAA enforcement, has certainly responded. In two recent settlement agreements with health care organizations that had data breaches, OCR has revealed its concern about the security risks presented by portable electronic devices and also revealed its approach to security. OCR required Phoenix Cardiac Surgery, P.C., a small cardiac physician practice, to submit evidence of measures to encrypt or otherwise secure electronic protected health information transmitted or stored on portable devices, “including text messaging of ePHI.” OCR also required the Alaska Department of Health and Social to “implement device and media controls and address device and media encryption.” OCR’s actions in these cases reinforce the importance of safeguarding end-user devices, and developing comprehensive policies and procedures governing their use.
The challenge confronting health care organizations--covered entities and business associates alike--is balancing HIPAA security compliance and enforcement risk with BYOD program benefits. These seemingly conflicting goals are not mutually exclusive, provided that organizations approach BYOD implementation and administration in a strategic, thoughtful, and well-planned manner. There is no one-size-fits-all approach. Rather, each organization should specifically tailor its own BYOD policies and practices to meet its own business needs and address its own unique data security risks and vulnerabilities.
Before rolling out a BYOD program, healthcare organizations must complete a comprehensive risk assessment, which serves several purposes. First and foremost, the risk assessment may reveal that employees are already using their own devices for the transmission of health and other work-related information. The risk assessment will also reveal whether BYOD is technically and/or financially infeasible for the organization. Assuming BYOD is feasible, the risk assessment allows the organization to select the best technical means for program implementation, and develop the specific policies and procedures governing BYOD administration and management. Finally, should OCR ever audit or investigate an organization, the risk assessment provides critical documentation supporting its BYOD program development, management and compliance with HIPAA security rule requirements.
So what are some common threats associated with mobile device security and BYOD? While not exhaustive, here are a few to consider. Lack of physical control over the device should be high on the list for every healthcare organization--the baseline assumption always is that the device will be lost or stolen, or at the very least, accessible to unauthorized third parties. Organizations also must consider various technical issues, which include the use of untrusted devices, networks, and/or applications; support for multiple mobile operating systems; installation of security patches and software updates; and interaction with other systems for data synchronization and storage.
Personnel issues are among the more difficult encountered in BYOD program development. For example, employees may resist the adoption and installation of the organization’s security policies and measures on their personal devices, and oppose the use of encryption for local storage and electronic communications. Employees also may not promptly report the theft or loss of a device, which can compromise an organization’s ability to respond to a security incident. Organizations also must detect and prevent “jail breaking” of the device where the employee circumvents the organization’s security policies and measures.
Making BYOD an “opt-in” program can further several goals for the organization. By using a consent form or other written agreement signed by the employee, the healthcare organization can obtain any necessary consent from the employee with respect to his or her personal device and set the general conditions for participation in the BYOD program. Such consent forms might authorize the organization to, for example: install, update, and administer necessary security software and ensure proper configuration; remotely wipe and/or lock the device if lost, stolen, or otherwise compromised; and enforce the organization’s data access, use, and other security policies. The consent form can also serve to notify the employee that violation of the organization’s BYOD policies may result in disciplinary action and/or loss of the privilege to use a personal device for business purposes.
Organizations also need to consider the technical aspects of BYOD implementation, and whether and how to integrate mobile devices into existing IT infrastructure. Three common approaches for securing mobile devices are (listed from most to least secure) virtualization, the “walled garden,” and limited separation. Under virtualization, the organization provides remote access to its computing resource via the mobile device so that no data or company application processing is stored or occurs on the employee’s personal device. The “walled garden” method segregates the organization’s data and applications within a secured partition, thereby ensuring that personal data and applications do not intermingle with those belonging to the organization. Finally, limited separation, the least secure approach, permits the comingling of the organization and personal data and applications but still employs and enforces minimum security controls and policies.
Employing a mobile device management (“MDM”) solution can help healthcare organizations address the technical aspects of BYOD implementation in a cost-effective way. MDM solutions contain various tools to address certain BYOD security issues. For example, MDM solutions often support multiple mobile device operating systems, employ user authentication mechanisms and secure communication methods, and support remote device management and policy enforcement. A variety of MDM solutions are commercially available, so it is important for organizations to survey the market to select the best fit.
From a policy development standpoint, organizations must define how the use of mobile devices will support its overall mission and business goals, and consider some other fundamental questions and issues. For example, what types of mobile devices will the organization support? Which employees or classes of employees will the organization permit to use mobile devices for business purposes? Will employees be permitted to store and/or transmit ePHI locally on the device and, if so, how will the organization encrypt such data?
Done correctly, BYOD programs can help healthcare organizations meet business and budgetary needs while fulfilling HIPAA security standards. However, significant compliance risk can arise from disorganized or insufficient program development, implementation, and administration.
Dianne Bourque and Stephen Bentfield are attorneys in the health law section of the law firm Mintz, Levin, Cohn, Ferris, Glovsky & Popeo.